Multiple IPs and SIP after upgrade from ASA 7.2(2) to 9.2(4)

WillemPaul
Level 1

Recently we decided at the office to upgrade our ASA firewalls to a newer version, up from version 7.2(2). We have 5 external IPs, x.x.x.13 up to x.x.x.17, these are all linked to different servers (http, https). Only the x.x.x.13 address is configured on the outside interface. Via NAT static rules traffic is redirected to the correct servers.

For our phones (SIP) we use a server hosted at a third party, and even though there does not seem to be any specific configuration in our 7.2(2) ASA, it works. I reckon this is because of the inspect SIP part of the configuration.

 

We had two ways of upgrading:

1) Upgrade firmware and let the upgrade process the configuration and update it to match the new firmware version.

2) Upgrade firmware, reset to defaults, start from scratch with the configuration.

 

The first path led to a partially working configuration. There were warnings about interfaces looping on themselves and our SIP phones did not work properly anymore (could not receive any calls). Furthermore, someone had once messed around with the configuration of WebVPN and polluted the configuration with lots of unnecessary things.

The second path had a similar issue with SIP and initially with port forwards as well. Under 7.2(2) there was a NAT rule defined, a dynamic policy (source any destination any) for the inside and outside interfaces. This rule is what triggered the warnings for the first path and I was unsure how to recreate it properly for the second path.

 

My questions are as follows:

A) Does our setup with multiple IP addresses, only one configured on an outside interface, forwards to internal systems via NAT etc. classify as NAT, or PAT, or something else? This would help me in figuring out the right configuration.

B) What is the purpose of the dynamic policy? And how is this recreated in a post 8.3 configuration?

C) What do you need in a post 8.3 configuration to make SIP work? I know the IP of the external SIP server, do I need to add this to an ACL?

 

I do have some experience with setting up ASAs via the CLI, but I also use ASDM for some other things. Either way help would be appreciated, be it via CLI commands or ASDM instructions.

5 Replies

Bogdan Nita
VIP Alumni

A) The number of public IPs available for NAT/PAT does not dictate whether you have NAT or PAT; it depends on the policies you set up.
NAT is mapping IPs one-to-one and keeps port intact
PAT maps multiple inside addresses to one IP using different port numbers


B) Dynamic NAT—A group of real IP addresses are mapped to a (usually smaller) group of mapped IP addresses, on a first come, first served basis. Only the real host can initiate traffic.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/nat_overview.html
config example:
PRE 8.3:
nat (inside) 1 192.168.0.0 255.255.255.0
global (outside) 1 x.x.x.13
POST 8.3:
object network obj-192.168.0.0
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic x.x.x.13
you can find a lot more examples at:
https://supportforums.cisco.com/t5/security-documents/asa-pre-8-3-to-8-3-nat-configuration-examples/ta-p/3116375


C) It does depend on your config: if you have ACLs on your higher-security interface you will need to allow SIP traffic, and because it is an external provider I believe you need to NAT to the public IP that they are expecting.

 

HTH

Bogdan
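To mechanise the conversion answer B describes, here is an added example (my code, not from the thread and not a Cisco tool) that turns pre-8.3 nat/global and static statements into post-8.3 object NAT and rewrites the outside ACL to real addresses, since 8.3+ access lists match the untranslated IP rather than the mapped one. It also applies the point the follow-up replies arrive at: a global that names the outside interface's own address has to become dynamic interface. The sample statements, the object naming scheme and OUTSIDE_IF_ADDR are constructed for illustration; identity NAT (nat 0), policy NAT and nat-control are not handled.

```python
"""Pre-8.3 -> post-8.3 ASA NAT converter (added example, not from the thread).

Handles the statement forms the thread discusses: nat/global pairs (dynamic
PAT), static one-to-one and static port forwards, plus the ACL rewrite that
8.3 requires because access lists now match the real (untranslated) address.
Identity NAT (nat 0), policy NAT and nat-control are not handled.
"""
import re

# Address configured on the outside interface.  A pre-8.3 "global" naming this
# address must become "dynamic interface" in 8.3+, or the ASA rejects the rule
# with "overlaps with outside interface address" (the error seen in the thread).
OUTSIDE_IF_ADDR = "x.x.x.13"

# Constructed pre-8.3 sample using the thread's placeholder public IPs.
PRE83 = """\
nat (inside) 1 192.168.0.0 255.255.255.0
global (outside) 1 x.x.x.13
static (inside,outside) tcp x.x.x.14 www 192.168.0.14 www netmask 255.255.255.255
static (inside,outside) tcp x.x.x.14 https 192.168.0.2 https netmask 255.255.255.255
static (inside,outside) x.x.x.17 192.168.0.17 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host x.x.x.14 eq www
access-list outside_access_in extended permit tcp any host x.x.x.14 eq https
access-list outside_access_in extended permit tcp any host x.x.x.17 eq https
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")
STATIC_PORT_RE = re.compile(
    r"^static \((\S+),(\S+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask \S+$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask \S+$")
# Simplified ACL grammar: source "any" or "host X", destination "host X [eq PORT]".
ACL_RE = re.compile(
    r"^(access-list \S+ extended permit \S+ (?:any|host \S+) )host (\S+)(?: eq (\S+))?$")


def convert(pre83, outside_if_addr=OUTSIDE_IF_ADDR):
    """Return (object_nat_lines, acl_lines) in post-8.3 syntax."""
    nats, globals_, objects, acls = {}, {}, [], []
    mapped_to_real = {}  # (mapped_ip, mapped_port|None) -> (real_ip, real_port|None)

    for line in pre83.splitlines():
        line = line.strip()
        if m := NAT_RE.match(line):
            ifc, nat_id, net, mask = m.groups()
            nats.setdefault(nat_id, []).append((ifc, net, mask))
        elif m := GLOBAL_RE.match(line):
            ifc, nat_id, mapped = m.groups()
            globals_[nat_id] = (ifc, mapped)
        elif m := STATIC_PORT_RE.match(line):
            real_if, map_if, proto, mapped, mport, real, rport = m.groups()
            # post-8.3 order is "service <proto> <real_port> <mapped_port>"
            objects += [f"object network obj-{real}-{proto}-{rport}", f" host {real}",
                        f" nat ({real_if},{map_if}) static {mapped} service {proto} {rport} {mport}"]
            mapped_to_real[(mapped, mport)] = (real, rport)
        elif m := STATIC_RE.match(line):
            real_if, map_if, mapped, real = m.groups()
            objects += [f"object network obj-{real}", f" host {real}",
                        f" nat ({real_if},{map_if}) static {mapped}"]
            mapped_to_real[(mapped, None)] = (real, None)
        elif line.startswith("access-list "):
            acls.append(line)

    for nat_id, entries in nats.items():
        if nat_id not in globals_:
            continue  # a nat without a matching global never translated anything
        map_if, mapped = globals_[nat_id]
        target = "interface" if mapped in ("interface", outside_if_addr) else mapped
        for real_if, net, mask in entries:
            objects += [f"object network obj-{net}", f" subnet {net} {mask}",
                        f" nat ({real_if},{map_if}) dynamic {target}"]

    rewritten = []
    for line in acls:
        m = ACL_RE.match(line)
        hit = m and (mapped_to_real.get((m[2], m[3])) or mapped_to_real.get((m[2], None)))
        if not hit:
            rewritten.append(line)  # no static behind it: copy through unchanged
            continue
        real_ip, real_port = hit
        port = f" eq {real_port or m[3]}" if m[3] else ""
        rewritten.append(f"{m[1]}host {real_ip}{port}")
    return objects, rewritten


if __name__ == "__main__":
    objs, acl = convert(PRE83)
    print("\n".join(objs + acl))
```

The output is meant to be diffed against a show running-config after the upgrade, not pasted in blindly: object names are arbitrary, and the ACL rewrite only understands the simple host/eq form shown in the sample.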

Regarding your answer for B, I am running into some problems.

When I enter the commands as you provided them, I notice 192.168.1.0 instead of 192.168.0.0. Is this intentional?

Also when I enter: nat (inside,outside) dynamic x.x.x.13
I get an error: Address x.x.x.13 overlaps with outside interface address.

after which the ASA refuses to use it in the NAT configuration.

 

If I understand it correctly, I should change that line into: nat (inside,outside) dynamic interface
or is that assumption false?

You are correct, I mistyped the subnet.

If you have the IP configured on the interface you can use the interface keyword.

 

PRE 8.3:
nat (inside) 1 192.168.0.0 255.255.255.0
global (outside) 1 x.x.x.13
POST 8.3:
object network obj-192.168.0.0
subnet 192.168.0.0 255.255.255.0
nat (inside,outside) dynamic interface

 

One more thing I wanted to mention, a great tool to verify your NAT config is packet-tracer.

For example if you run packet-tracer input inside icmp 192.168.0.10 8 0 8.8.8.8

You should receive at the NAT phase something like:

Additional Information:
Dynamic translate 192.168.0.10/0 to x.x.x.13/32345
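Following on from the packet-tracer tip above, here is an added example (my code, not from the thread) that parses packet-tracer output and checks the NAT phase automatically, so that after an upgrade you can run one trace per NAT rule and compare against what you expect rather than reading each trace by eye. Both sample outputs are constructed: they follow the phase layout packet-tracer prints, trimmed to the phases that matter, around the "Dynamic translate" line quoted above. The "Static translate" and "Untranslate" forms the regex also accepts are assumed from 9.x output, not from the thread.

```python
"""Check the NAT phase of ASA packet-tracer output (added example, not from
the thread).  Run one packet-tracer per NAT rule after a migration and feed
the text to verify() instead of reading it by eye.  Both outputs below are
constructed, trimmed to the phases that matter."""
import re

SAMPLE_OK = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop x.x.x.18 using egress ifc  outside

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj-192.168.0.0
 nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.0.10/0 to x.x.x.13/32345

Result:
Action: allow
"""

# Constructed failure: the flow is dropped by the ACL before NAT happens.
SAMPLE_DROP = """\
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group outside_access_in in interface outside
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# "Dynamic translate" is the form the thread quotes.  Static rules print
# "Static translate"; inbound hits on a static show "Untranslate" in an UN-NAT
# phase (assumed from 9.x output seen in practice, not from the thread).
TRANSLATE_RE = re.compile(
    r"^(Dynamic translate|Static translate|Untranslate) (\S+)/(\S+) to (\S+)/(\S+)$", re.M)


def parse_blocks(output):
    """Split the trace on blank lines; return (fields, raw_text) per block."""
    blocks = []
    for raw in re.split(r"\n\s*\n", output.strip()):
        fields = {}
        for line in raw.splitlines():
            if ":" in line and not line.startswith(" "):
                key, _, value = line.partition(":")
                fields.setdefault(key.strip(), value.strip())
        blocks.append((fields, raw))
    return blocks


def nat_translation(output):
    """Return {'kind', 'real', 'mapped'} from the NAT/UN-NAT phase, or None."""
    for fields, raw in parse_blocks(output):
        if fields.get("Type") in ("NAT", "UN-NAT") and (m := TRANSLATE_RE.search(raw)):
            left, right = (m[2], m[3]), (m[4], m[5])
            if m[1] == "Untranslate":  # printed as mapped -> real, so swap
                left, right = right, left
            return {"kind": m[1], "real": left, "mapped": right}
    return None


def final_action(output):
    """Return (action, drop_reason) from the trailing Result block."""
    for fields, _ in parse_blocks(output):
        if "Action" in fields:
            return fields["Action"], fields.get("Drop-reason")
    return None, None


def verify(output, expect_kind, expect_mapped_ip, expect_port_kept=False):
    """Return a list of problems; an empty list means the trace matched.

    expect_port_kept=True is for one-to-one static NAT, where the port must
    survive translation; dynamic PAT is allowed to rewrite it."""
    problems = []
    action, reason = final_action(output)
    if action != "allow":
        problems.append(f"action={action} ({reason})")
    nat = nat_translation(output)
    if nat is None:
        return problems + ["no NAT phase with a translate line"]
    if nat["kind"] != expect_kind:
        problems.append(f"expected {expect_kind}, got {nat['kind']}")
    if nat["mapped"][0] != expect_mapped_ip:
        problems.append(f"mapped to {nat['mapped'][0]}, expected {expect_mapped_ip}")
    if expect_port_kept and nat["real"][1] != nat["mapped"][1]:
        problems.append(f"port changed {nat['real'][1]} -> {nat['mapped'][1]}")
    return problems


if __name__ == "__main__":
    print(verify(SAMPLE_OK, "Dynamic translate", "x.x.x.13"))    # []
    print(verify(SAMPLE_DROP, "Dynamic translate", "x.x.x.13"))  # two problems
```

Run each trace on the ASA (or over SSH from a script), save the text, and call verify() with the kind and mapped address you expect for that rule; a non-empty list is the rule to look at first.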

Using the information you provided and the list of required port forwards, I have put together the following configuration (show running-config). I've left out the actual public IPs (x.x.x.13 etc) and the VOIP server IP (y.y.y.130). Do you see anything that might cause issues in here?

The tricky thing is I cannot easily test this live because our USA office (we are located in Europe) also uses our servers. The only time I can test this without consequences is between 12AM and 8AM, during which I am not at the office.

ASA Version 9.2(4)25 
!
hostname Sylvanas
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 12
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 description Fiber
 nameif inside
 security-level 100
 ip address 192.168.0.253 255.255.255.0 
!
interface Vlan2
 description LAN
 nameif outside
 security-level 0
 ip address x.x.x.13 255.255.255.248 
!
interface Vlan12
 description ADSL
 nameif backup
 security-level 0
 ip address 192.168.2.200 255.255.255.0 
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-192.168.0.0
 subnet 192.168.0.0 255.255.255.0
object network https_14
 host 192.168.0.2
object network http_14
 host 192.168.0.14
object network http_15
 host 192.168.0.16
object network https_15
 host 192.168.0.16
object network http_16
 host 192.168.0.6
object network https_16
 host 192.168.0.6
object network https_17
 host 192.168.0.17
access-list outside_access_in extended permit tcp any object http_14 eq www 
access-list outside_access_in extended permit tcp any object https_14 eq https 
access-list outside_access_in extended permit tcp any object http_15 eq www 
access-list outside_access_in extended permit tcp any object https_15 eq https 
access-list outside_access_in extended permit tcp any object http_16 eq www 
access-list outside_access_in extended permit tcp any object https_16 eq https 
access-list outside_access_in extended permit tcp any object https_17 eq https 
access-list outside_access_in extended permit tcp host y.y.y.130 eq sip any eq sip 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backup 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface
object network obj-192.168.0.0
 nat (inside,outside) dynamic interface
object network https_14
 nat (inside,outside) static x.x.x.14 service tcp https https 
object network http_14
 nat (inside,outside) static x.x.x.14 service tcp www www 
object network http_15
 nat (inside,outside) static x.x.x.15 service tcp www www 
object network https_15
 nat (inside,outside) static x.x.x.15 service tcp https https 
object network http_16
 nat (inside,outside) static x.x.x.16 service tcp www www 
object network https_16
 nat (inside,outside) static x.x.x.16 service tcp https https 
object network https_17
 nat (inside,outside) static x.x.x.17 service tcp https https 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.18 1 track 1
route backup 0.0.0.0 0.0.0.0 192.168.2.254 254
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
sla monitor 123
 type echo protocol ipIcmpEcho x.x.x.18 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
!
track 1 rtr 123 reachability
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd address 192.168.0.20-192.168.0.147 inside
dhcpd dns 192.168.0.2 8.8.8.8 interface inside
dhcpd domain mydomain.local interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous

I have no way of knowing if the config is going to work or not, because I do not know what the requirements are, but I do not see anything that stands out in the config.

Considering you are doing a remote upgrade, I would make sure the ASA is reachable after the upgrade:
- add no shutdown to the interface config
- temporarily permit access from specific IPs to the public IP
- allow ssh; ASDM can sometimes be unreliable, especially if you are doing an upgrade
- prepare for the worst-case scenario in which the ASA is not reachable anymore
